29.5. Lightweight Directory Access Protocol (LDAP)

Written by Tom Rhodes.

The Lightweight Directory Access Protocol
(LDAP) is an application layer protocol used
to access, modify, and authenticate objects using a distributed
directory information service. Think of it as a phone or record
book which stores several levels of hierarchical, homogeneous
information. It is used in Active Directory and
OpenLDAP networks and allows users to
access several levels of internal information using a
single account. For example, email authentication, pulling
employee contact information, and internal website
authentication might all make use of a single user account in
the LDAP server's record base.

This section provides a quick start guide for configuring an
LDAP server on a FreeBSD system. It assumes
that the administrator already has a design plan which includes
the type of information to store, what that information will be
used for, which users should have access to that information,
and how to secure this information from unauthorized
access.

29.5.1. LDAP Terminology and Structure

LDAP uses several terms which should be
understood before starting the configuration. All directory
entries consist of a group of
attributes. Each of these attribute
sets contains a unique identifier known as a
Distinguished Name
(DN) which is normally built from several
other attributes such as the common or
Relative Distinguished Name
(RDN). Similar to how directories have
absolute and relative paths, consider a DN
as an absolute path and the RDN as the
relative path.

An example LDAP entry looks like the
following. This example searches for the entry for the
specified user account (uid),
organizational unit (ou), and organization
(o):

29.5.2. Configuring an LDAP Server

FreeBSD does not provide a built-in LDAP
server. Begin the configuration by installing the net/openldap24-server package or port.
Since the port has many configurable options, it is
recommended to review the default options to see whether
the package is sufficient, and to compile the port instead if
any options need to be changed. In most cases, the defaults
are fine. However, if SQL support is needed, this option must
be enabled and the port compiled using the instructions in
Section 4.5, “Using the Ports Collection”.

Next, create the directories to hold the data and to store
the certificates:

The next phase is to configure the certificate authority.
The following commands must be executed from
/usr/local/etc/openldap/private. This is
important as the file permissions need to be restrictive and
users should not have access to these files. To create the
certificate authority, start with this command and follow the
prompts:

The entries for the prompts may be generic
except for the
Common Name. This entry must be
different from the system hostname. If
this will be a self-signed certificate, prefix the hostname
with CA for certificate authority.

The next task is to create a certificate signing request
and a private key. Input this command and follow the
prompts:

# openssl req -days 365 -nodes -new -keyout server.key -out server.csr

During the certificate generation process, be sure to
correctly set the Common Name attribute.
Once complete, sign the key:

Remember to use the same Common Name
attribute when prompted. When finished, ensure that a total
of eight (8) new files have been generated by the
preceding commands. If so, the next step is to edit
/usr/local/etc/openldap/slapd.conf and
add the following options:

While editing this file, uncomment the following entries
and set them to the desired values: BASE,
URI, SIZELIMIT and
TIMELIMIT. Set the URI to
contain ldap:// and
ldaps://. Then, add two entries pointing to
the certificate authority. When finished, the entries should
look similar to the following:

The slappasswd command will prompt for the password and, if
it does not fail, a password hash will be added to the
end of slapd.conf. Several hashing
formats are supported. Refer to the manual page for
slappasswd for more information.

Next, edit
/usr/local/etc/openldap/slapd.conf and
add the following lines:

password-hash {sha}
allow bind_v2

The suffix in this file must be updated
to match the BASE used in
/usr/local/etc/openldap/ldap.conf and
rootdn should also be set. A recommended
value for rootdn is something like
cn=Manager. Before saving this file, place
the rootpw in front of the password output
from slappasswd and delete the old
rootpw. The end result should
look similar to this:
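As an added sanity check (not part of the Handbook's own steps), the following Python script reads a slapd.conf and ldap.conf and verifies the points made above: exactly one rootpw remains and it is a slappasswd hash rather than a cleartext secret, suffix matches BASE, and URI lists both ldap:// and ldaps://. The configuration fragments and the hash value embedded below are constructed placeholders.

```python
import re

# Constructed sample fragments for illustration; the {SSHA} value is a
# placeholder, not real slappasswd output.
SLAPD_CONF = """\
password-hash {sha}
allow bind_v2
suffix "dc=example,dc=org"
rootdn "cn=Manager,dc=example,dc=org"
rootpw {SSHA}PLACEHOLDERHASHVALUEFROMSLAPPASSWD
"""
LDAP_CONF = """\
BASE dc=example,dc=org
URI ldap://ldap.example.org ldaps://ldap.example.org
SIZELIMIT 12
TIMELIMIT 15
"""


def parse_directives(text):
    """Return (keyword, value) pairs; keywords lower-cased, quotes stripped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank and comment lines
        keyword, _, value = line.replace("\t", " ").partition(" ")
        pairs.append((keyword.lower(), value.strip().strip('"')))
    return pairs


def check_config(slapd_text, ldap_text):
    """Return a list of problems; an empty list means all checks pass."""
    slapd = parse_directives(slapd_text)
    ldap = dict(parse_directives(ldap_text))
    problems = []
    rootpws = [v for k, v in slapd if k == "rootpw"]
    if len(rootpws) != 1:  # the old rootpw must have been deleted
        problems.append(f"expected exactly one rootpw, found {len(rootpws)}")
    for pw in rootpws:
        # slappasswd output has the form {SCHEME}base64; anything else is cleartext
        if not re.fullmatch(r"\{[A-Z0-9]+\}\S+", pw):
            problems.append("rootpw is not a slappasswd hash (cleartext secret on disk)")
    suffix = next((v for k, v in slapd if k == "suffix"), None)
    if suffix != ldap.get("base"):
        problems.append(f"suffix {suffix!r} does not match BASE {ldap.get('base')!r}")
    schemes = {u.split("://")[0] for u in ldap.get("uri", "").split()}
    if not {"ldap", "ldaps"} <= schemes:
        problems.append(f"URI must list both ldap:// and ldaps://, found {sorted(schemes)}")
    return problems
```

Run check_config() on the real files with open(...).read() after editing; any returned string names the directive that still needs attention.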